Enterprises and other organizations implement network access control in order to control the ability of client devices to communicate on a computer network. For example, an enterprise may implement a computer network that includes an email server. In order to prevent unauthorized users from communicating with this email server, the enterprise may implement a network access control system that prevents unauthorized users from sending network communications on the computer network unless the users provide a correct username and password. In another example, an enterprise may wish to prevent devices that are infected with computer viruses from communicating with devices on a network of the enterprise. In this example, the enterprise may implement a network access control system that prevents devices that do not have current anti-virus software from communicating on the network.
Three separate types of devices are typically present in networks that implement network access control. These devices typically include client devices, policy devices, sometimes referred to as policy decision points, and access devices. Client devices are devices that are attempting to connect to the network. Policy devices evaluate information from the client devices in order to decide whether to grant the client devices access to a network. One example of a policy device is an authentication server, such as a Remote Access Dial-In User Service (“RADIUS”) server. Access devices enforce the decisions made by the policy decision points with regard to individual client devices. Access devices include, for example, wireless access points and network gateway devices.
Access devices are commonly deployed at the edge of the computer network and interface with the client devices by challenging them to provide authentication information before granting access to the network. In response to this challenge, a given client device provides authentication information, which the access device forwards to the policy device. The policy device is usually deployed in a more centralized location of the computer network so that it can service a plurality of access devices. The policy device authenticates the forwarded authentication information in accordance with one or more policies and returns the result of the authentication to the access device. The access device then grants or denies the client device access to the computer network based on the received result.
Typically, when the client device moves to a new physical location and must connect to the same computer network via an access device coupled to a different policy device, that access device and its policy device require the client device to re-authenticate itself before granting it access to the computer network. Such re-authentication commonly occurs regardless of whether the client device was successfully authenticated before.
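The challenge-forward-enforce exchange described above, and the redundant re-authentication that follows when a client roams to an access device served by a different policy device, can be seen in a small simulation. The following Python is an added illustration, not code from the original text: the device names, the user "alice", the passwords and the anti-virus posture flag are all constructed, and the password-hashing and policy rules stand in for whatever a real authentication server would apply.

```python
"""Added illustration (not from the original text): the three NAC roles and
the re-authentication a client faces when it roams between policy devices.
All names, credentials and the posture check are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:
    """What the client device supplies in answer to the access device's challenge."""
    username: str
    password: str
    antivirus_current: bool  # posture claim from the client's endpoint agent (constructed)


class PolicyDevice:
    """Policy decision point, e.g. an authentication server (hypothetical stand-in)."""

    def __init__(self, name):
        self.name = name
        self._users = {}      # username -> (salt, PBKDF2 digest); plaintext is never stored
        self.evaluations = 0  # number of authentication requests this device has processed

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def evaluate(self, creds):
        """Apply the policies: valid credentials AND current anti-virus -> 'accept'."""
        self.evaluations += 1
        record = self._users.get(creds.username)
        if record is None:
            return "reject"
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", creds.password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):  # constant-time comparison
            return "reject"
        if not creds.antivirus_current:
            return "reject"  # the "infected device" policy from the opening paragraph
        return "accept"


class AccessDevice:
    """Edge enforcement point (wireless AP / gateway); it holds no decision logic itself."""

    def __init__(self, name, policy):
        self.name = name
        self.policy = policy
        self._admitted = set()  # client ids currently allowed to send traffic through this device

    def is_admitted(self, client_id):
        return client_id in self._admitted

    def connect(self, client_id, creds):
        """Challenge the client, forward its answer to the policy device, enforce the result."""
        decision = self.policy.evaluate(creds)
        if decision == "accept":
            self._admitted.add(client_id)
        else:
            self._admitted.discard(client_id)
        return decision


def simulate_roaming():
    """Client authenticates at ap-1, then moves to ap-2, which uses a different policy device."""
    pdp1, pdp2 = PolicyDevice("pdp-1"), PolicyDevice("pdp-2")
    for pdp in (pdp1, pdp2):  # both servers know the same user (constructed)
        pdp.add_user("alice", "correct-horse-battery")
    ap1, ap2 = AccessDevice("ap-1", pdp1), AccessDevice("ap-2", pdp2)
    good = Credentials("alice", "correct-horse-battery", antivirus_current=True)
    bad_pw = Credentials("alice", "wrong", antivirus_current=True)
    stale_av = Credentials("alice", "correct-horse-battery", antivirus_current=False)

    results = {
        "ap1_good": ap1.connect("laptop-1", good),
        "ap1_bad_pw": ap1.connect("laptop-2", bad_pw),
        "ap1_stale_av": ap1.connect("laptop-3", stale_av),
    }
    # Roaming: ap-2 has no record of laptop-1 and pdp-2 never saw it, so the
    # earlier success buys nothing and the full exchange is repeated.
    results["ap2_before_reauth"] = ap2.is_admitted("laptop-1")
    results["ap2_reauth"] = ap2.connect("laptop-1", good)
    results["total_evaluations"] = pdp1.evaluations + pdp2.evaluations
    return results


if __name__ == "__main__":
    for key, value in simulate_roaming().items():
        print(f"{key}: {value}")
```

Running the module prints the per-step decisions; the `total_evaluations` counter makes the cost of the roaming case visible: the same client, with the same valid credentials, is evaluated a second time by a policy device that has no knowledge of the first authentication.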